Abstract. Löndahl and Johansson proposed last year a variant of the McEliece cryptosystem which replaces Goppa codes by convolutional codes. This modification is supposed to make structural attacks more difficult since the public generator matrix of this scheme contains large parts which are generated completely at random. They proposed two schemes of this kind; one of them consists in taking a Goppa code and extending it by adding a generator matrix of a time varying convolutional code. We show here that this scheme can be successfully attacked by looking for low-weight codewords in the public code of this scheme and using them to unravel the convolutional part. It remains to break the Goppa part of this scheme, which can be done in less than a day of computation in the case at hand.

Keywords. Code-based cryptography, McEliece cryptosystem, convolutional codes, cryptanalysis.

1 Introduction 

In [Sho97], Peter Shor showed that all cryptosystems based on the hardness of factoring or taking a discrete logarithm can be attacked in polynomial time with a quantum computer (see [BBD09] for an extensive report). This threatens most if not all public-key cryptosystems deployed in practice, such as RSA [RSA78] or DSA [Kra91]. Cryptography based on the difficulty of decoding a linear code, on the other hand, is believed to resist quantum attacks and is therefore considered as a viable replacement for those schemes in future applications. Yet, independently of their so-called "post-quantum" nature, code-based cryptosystems offer other benefits even for present-day applications due to their excellent algorithmic efficiency, which is up to several orders of complexity better than traditional schemes.

The first code-based cryptosystem is the McEliece cryptosystem [McE78], originally proposed using Goppa codes. Afterwards several code families have been suggested to replace the Goppa codes in this scheme: generalized Reed-Solomon codes (GRS) [Nie86] or subcodes of them [BL05], Reed-Muller codes [Sid94], algebraic geometry codes [JM96], LDPC codes [BBC08], MDPC codes [MTSB12] or more recently convolutional codes [LJ12]. Some of these schemes make it possible to reduce the public key size compared to the original McEliece cryptosystem while keeping the same level of security against generic decoding algorithms.

However, for several of the aforementioned schemes it has been shown that a description of the underlying code suitable for decoding can be obtained; this breaks the corresponding scheme. This has been achieved for generalized Reed-Solomon codes in [SS92] and for subcodes of generalized Reed-Solomon codes in [Wie10]. In this case, the attack takes polynomial time and recovers the complete structure of the underlying generalized Reed-Solomon code from the public key G". The Reed-Muller code scheme has also been attacked, but this time the algorithm recovering the secret description of the permuted Reed-Muller code has sub-exponential complexity [MS07], which is enough for attacking the scheme with the parameters proposed in [Sid94] but which is not sufficient to break the scheme completely. Algebraic geometry codes are broken in polynomial time but only for low genus hyperelliptic curves [FM08]. Finally, it should be mentioned that a first version of the scheme based on LDPC codes proposed in [BC07] has been successfully attacked in [OTD10] (but the new scheme proposed in [BBC08] seems to be immune to this kind of attack) and that a variant [BBC+11] of the generalized Reed-Solomon scheme which was supposed to resist the attack of [SS92] has recently been broken in [GOT12, CGG+12] by an approach which is related to the distinguisher of Goppa codes which is proposed in [FGO+10, FGO+11].

The original McEliece cryptosystem with Goppa codes is still unbroken. It was modified in [BCGO09, MB09] by considering quasi-cyclic or quasi-dyadic versions of Goppa codes (or more generally of alternant codes in [BCGO09]) in order to reduce significantly the key size. However, in this case it was shown that the added structure allows a drastic reduction of the number of unknowns in algebraic attacks and most of the schemes proposed in [BCGO09, MB09] were broken by this approach. This kind of attack has exponential complexity and it can be thwarted by choosing smaller cyclic or dyadic blocks in this approach in order to increase the number of unknowns of the algebraic system. When the rate of the Goppa code is close to 1 (as is the case in signature schemes for instance [CFS01]) then it has been shown in |FG(2] that the public key can be distinguished from a random public key. This invalidates all existing security proofs of the McEliece cryptosystem when the code rate is close to 1 since they all rely on the hardness of two problems: the hardness of decoding a generic linear code on one hand and the indistinguishability of the Goppa code family on the other hand.

These algebraic attacks motivate the search for alternatives to Goppa codes in the McEliece cryptosystem and raise the issue of what kind of codes can be chosen in the McEliece cryptosystem. The proposal with convolutional codes made in [LJ12] falls into this thread of research. What makes this new scheme interesting is the fact that its secret generator matrix contains large parts which are generated completely at random and has no algebraic structure as in other schemes such as generalized Reed-Solomon codes, algebraic geometry codes, Goppa codes or Reed-Muller codes.

In [LJ12] two schemes are given. The first one simply considers as the secret key the generator matrix of a time varying tail-biting convolutional code. A scheme which is supposed to resist attacks of time complexity of about $2^{80}$ elementary operations is suggested and has reasonable decoding complexity. This construction presents however the drawback that the complexity of decoding scales exponentially with the security level measured in bits. The authors give a second scheme which is scalable and which is built upon a Goppa code and extends it by adding a generator matrix of a time varying convolutional code.

We study the security of this second scheme in this article. It was advocated that the convolutional structure of the code cannot be recovered due to the fact that the dual code has large enough minimum distance. However, we show here that this scheme can be successfully attacked by looking for low-weight codewords in the public code of this scheme. By a suitable filtering procedure of these low weight codewords we can unravel the convolutional part.

The main point which makes this attack feasible is the following phenomenon: the public code of this scheme contains subcodes of much smaller support but whose rate is not much smaller than the rate of the public code. The support of such codes can be easily found by low weight codeword algorithms. It is worthwhile to notice that the code-based KKS signature scheme [KKS97] could be broken with exactly the same approach [OT11]. It turns out that the support of these subcodes reveals the convolutional structure. By suitably puncturing the public code, there is only the Goppa part which remains. Deciphering an encrypted message can then be done because, for the concrete parameter example provided in [LJ12], algorithms for decoding general linear codes can be used in this case to decode the Goppa code successfully. This attack works successfully on the parameters proposed in [LJ12] and needs only a few hours of computation. It should be possible to change the parameters of the scheme to avoid this kind of attack. In order to do so an improved attack is suggested in Subsection 5.1; its complexity is analyzed in Section 5. This suggests that it should be possible to repair the scheme by fixing the parameters in a more conservative way. Some indications about how to perform such a task are given in Subsection 5.3.



2 The McEliece scheme based on convolutional codes 



The scheme can be summarized as follows. 



Secret key.

— $G_{sec}$ is a $k \times n$ generator matrix which has a block form specified in Figure 1;

— $P$ is an $n \times n$ permutation matrix;

— $S$ is a $k \times k$ random invertible matrix over $\mathbb{F}_2$.

Public key. $G_{pub} \stackrel{def}{=} S G_{sec} P$.

Encryption. The ciphertext $c \in \mathbb{F}_2^n$ of a plaintext $m \in \mathbb{F}_2^k$ is obtained by drawing at random $e$ in $\mathbb{F}_2^n$ of weight equal to some quantity $t$ and computing $c \stackrel{def}{=} m G_{pub} + e$.

Decryption. It consists in performing the following steps:

1. Calculating $c' \stackrel{def}{=} cP^{-1} = mSG_{sec} + eP^{-1}$ and using the decoding algorithm of the code with generator matrix $G_{sec}$ to recover $mS$ from the knowledge of $c'$;

2. Multiplying the result of the decoding by $S^{-1}$ to recover $m$.

The point of the whole construction is that if $t$ is well chosen, then with high probability the Goppa code part can be decoded, and this allows a sequential decoder of the time varying convolutional code to decode the remaining errors. From now on we will denote by $\mathcal{C}_{pub}$ the code with generator matrix $G_{pub}$ and by $\mathcal{C}_{sec}$ the code with generator matrix $G_{sec}$.



[Figure 1: block diagram of $G_{sec}$, with column groups labelled "Goppa part: $n_B$ columns", "convolutional part: $Lc$ columns" and "random part".]

Fig. 1. The secret generator matrix. The areas in light pink indicate the only non zero parts of the matrix. $G_B$ is a generator matrix of a binary Goppa code of length $n_B$ and dimension $k_B$. This matrix is concatenated with a matrix of a time varying binary convolutional code where $b$ bits of information are transformed into $c$ bits of data (the corresponding $G_{i,j}$ blocks are therefore all of size $b \times c$) and terminated with $c$ random columns at the end. The dimension of the corresponding code is $k \stackrel{def}{=} k_B + Lb$ and the length is $n = n_B + (L+1)c$ where $L$ is the time duration of the convolutional code.



3 Description of the Attack 

The purpose of this section is to explain the idea underlying our attack, which is a message recovery attack taking advantage of a partial key recovery attack. The attack is divided in two main steps. The first step consists in a (partial) key recovery attack aiming at unraveling the convolutional structure. The second part consists in a message recovery attack taking advantage of the fact that if the convolutional part is recovered, then an attacker can decrypt a message with good probability if he is able to decode a linear code of dimension $k_B$ and length $n_B$ when there are less than $t_B$ = errors (this is the average number of errors that the Goppa code has to decode).

3.1 Unraveling the convolutional structure 

The authors have chosen the parameters of the scheme proposed in [LJ12] so that it remains hard to find low-weight codewords in the dual of the public code $\mathcal{C}_{pub}$. It is advocated in [LJ12] that in their case the only deviation from a random code is the convolutional structure in terms of low weight parity-checks. For instance, the following parameters are suggested: $(n, k) = (1800, 1200)$, and in the construction phase the authors propose to throw away any code which would have parity-checks of weight less than 125. However, the fact that the structure of $\mathcal{C}_{pub}$ leads in a natural way to low weight codewords is not taken into account. Indeed, we expect many (i.e. about $2^{b-1}$) codewords of weight less than or equal to $c$. This comes from the fact that the subcode of $\mathcal{C}_{pub}$ generated by the last $b$ rows of $G_{sec}$ (and permuted by $P$) has support of size $2c$ and dimension $b$. Therefore any algorithm aiming at finding codewords of weight less than $c$, say, should output such codewords. Looking at the support of such codewords reveals the $2c$ last columns of $G_{sec}$. Puncturing these columns and starting this process again, but this time looking for codewords of weight less than $c/2$ (since this time the punctured code contains a subcode of dimension $b$ and support of size $c$ arising from the penultimate block of rows of $G_{sec}$), will reveal the following block of $c$ columns of the matrix. In other words we expect to capture by these means a first subcode of dimension $b$ and support the $2c$ last positions of $\mathcal{C}_{sec}$. Then we expect a second subcode of dimension $b$ with support the $3c$ last positions of $\mathcal{C}_{pub}$, and so on and so forth. Finally we expect to be able, after suitable column swapping, to obtain the generator matrix $G'$ of a code equivalent to $\mathcal{C}_{pub}$ which would have the form indicated in Figure 2.



[Figure 2: block diagram of $G'$, with column groups labelled "Goppa part: $n_B$ columns" and "convolutional+random part: $(L+1)c$ columns".]

Fig. 2. The generator matrix of an equivalent code obtained by our approach. $G'_B$ denotes the generator matrix of a Goppa code which is equivalent to the code with generator matrix $G_B$.



More precisely the algorithm for finding a generator matrix of a code equivalent to $\mathcal{C}_{pub}$ is given by Algorithm 1 below.

Algorithm 1 An algorithm for finding $G'$.

input: $G_{pub}$ the public generator matrix
output: a generator matrix $G'$ of a code equivalent to $\mathcal{C}_{pub}$ which has the form indicated in Fig. 2

for $i = L, \dots, 1$ do
    $G \leftarrow$ GeneratorMatrixPuncturedCode($\mathcal{C}_{pub}$, $\mathcal{L}$)
    $w \leftarrow$ Function($i$)
    $G \leftarrow$ LowWeight($G$, $w$)
    $G_i \leftarrow$ ExtendedGeneratorMatrix($G$, $\mathcal{L}$, $\mathcal{C}_{pub}$)
    $\mathcal{L} \leftarrow$ Support($G$) $\|$ $\mathcal{L}$
end for
$G \leftarrow$ GeneratorMatrixPuncturedCode($\mathcal{C}_{pub}$, $\mathcal{L}$)
$G_0 \leftarrow$ ExtendedGeneratorMatrix($G$, $\mathcal{L}$, $\mathcal{C}_{pub}$)
$G'$ is the concatenation of the rows of $G_0, G_1, \dots, G_L$.
return $G'$

We assume here that:

— the function GeneratorMatrixPuncturedCode takes as input a code $\mathcal{C}$ of length $n$ and an ordered set of positions $\mathcal{L}$ which is a sublist of $[1, 2, \dots, n]$ and outputs a generator matrix of $\mathcal{C}$ punctured in the positions belonging to $\mathcal{L}$;

— Function will be a certain function which will be specified later on;

— Support($\mathcal{C}$) yields the (ordered) support of $\mathcal{C}$ and $\|$ is the concatenation of lists;

— the function LowWeight takes as input a code $\mathcal{C}$ and a weight $w$. It outputs a generator matrix of a subcode of $\mathcal{C}$ obtained by looking for codewords of weight less than or equal to $w$. Basically a certain number of codewords of weight $\leq w$ are produced and the positions which are involved in at least $t$ codewords are put in a list $\mathcal{L}$ (where $t$ is some threshold depending on the weight $w$, the length $n$ of the code, its dimension $k$ and the number of codewords produced by the previous algorithm), which means that $i$ is taken as soon as there are at least $t$ elements $c$ among these codewords for which $c_i = 1$. Then a generator matrix for the subcode of $\mathcal{C}$ formed by the codewords whose coordinates outside $\mathcal{L}$ are all equal to 0 is returned. See Algorithm 2 for further details.

— the function ExtendedGeneratorMatrix takes as input a generator matrix of some code $\mathcal{C}'$, an ordered set of positions $\mathcal{L}$ and a code $\mathcal{C}$ such that $\mathcal{C}'$ is the result of the puncturing of $\mathcal{C}$ in the positions belonging to $\mathcal{L}$. It outputs a generator matrix of the permuted subcode $\mathcal{C}''$ of $\mathcal{C}$ whose positions are reordered in such a way that the first positions correspond to the positions of $\mathcal{C}'$ and the remaining positions to the ordered list $\mathcal{L}$. This code $\mathcal{C}''$ corresponds to the codewords of $\mathcal{C}'$ which are extended as codewords of $\mathcal{C}$ over the positions belonging to $\mathcal{L}$ in an arbitrary linear way.



3.2 Finishing the job: decoding the code with generator matrix $G'_B$

If we are able to decode the code with generator matrix $G'_B$, then standard sequential decoding algorithms for convolutional codes will make it possible to decode the last $(L+1)c$ positions. Let $G'_B$ be the generator matrix of a code equivalent to the secret Goppa code chosen for the scheme specified in Figure]^ Decoding such a code can be done by algorithms aiming at decoding generic linear codes such as Stern's algorithm [Ste88] and its subsequent improvements [Dum91, BLP11, MMT11, BJMM12]. This can be done for the parameters suggested in [LJ12].

4 Implementation of the attack for the parameters suggested in [LJ12]

We have carried out the attack on the parameters suggested in [LJ12]. They are provided in Table 1.



Algorithm 2 LowWeight($G$, $w$)

input:
— $G$ a certain $k \times n$ generator matrix of a code $\mathcal{C}$;
— $w$ a certain weight.

output: a generator matrix $G'$ of a subcode of $\mathcal{C}$ obtained from the supports of a certain subset of codewords of weight $w$ in $\mathcal{C}$.

$\mathcal{W} \leftarrow$ LowWeightCodewordSearch($G$, $w$) {Produces a set of linear combinations of rows of $G$ of weight $\leq w$}
Initialize an array tab of length $n$ to zero
$t \leftarrow$ Threshold($w$, $n$, $k$, $|\mathcal{W}|$)
for all $c \in \mathcal{W}$ do
    for $i \in [1..n]$ do
        if $c_i = 1$ then
            tab[$i$] $\leftarrow$ tab[$i$] + 1
        end if
    end for
end for
$\mathcal{L} \leftarrow \emptyset$
for $i \in [1..n]$ do
    if tab[$i$] $\geq t$ then
        $\mathcal{L} \leftarrow \mathcal{L} \,\|\, \{i\}$
    end if
end for
$G' \leftarrow$ ShortenedCode($G$, $\mathcal{L}$) {Produces a generator matrix for the subcode of $\mathcal{C}$ formed by the codewords whose coordinates outside $\mathcal{L}$ are all equal to 0.}
return $G'$.



Table 1. Parameters for the second scheme suggested in [LJ12].

$n$     $n_B$   $k$     $k_B$   $b$   $c$   $L$   $m$   $t$ (number of errors)
1800    1020    1160    660     20    30    25    12    45


Setting the weight parameter $w$ accurately when calling the function LowWeight is the key for finding the 60 last positions. If $w$ is chosen to be too large, for instance when $w = 22$, running Dumer's low weight codeword search algorithm [Dum91] gave the result given in Figure 3 concerning the frequencies of the code positions involved in the codewords of weight less than 22 output by the algorithm and stored in table tab during the execution of the algorithm.

We see in Figure 3 that this discriminates the 90 last code positions and not, as we want, the 60 last code positions. However choosing $w$ to be equal to 18 makes it possible to discriminate the 60 last positions, as shown in Figure 4.

Data used in Figure 4 come from 3900 codewords generated in one hour and a half on an Intel Xeon W3550 (3 GHz) CPU by a monothread implementation in C of Dumer's algorithm. The message recovery part of the attack involving the Goppa code consists in decoding 25.5 errors on average in a linear code of dimension 660 and length 1020. The time complexity is about $2^{42}$. This second part of the attack could be achieved using the previous program on the same computer in about 6.5 hours on average.

Fig. 3. The frequencies of the code positions involved in codewords of weight < 22 output by Dumer's algorithm.

Fig. 4. The frequencies of the code positions involved in codewords of weight < 18 output by Dumer's algorithm.

5 Analysis of the security of the scheme

5.1 An improved attack

The purpose of this section is to provide a very crude analysis of the security of the scheme. We will not analyze our attack detailed in Section 3 since, even if it was enough to break the second scheme suggested in [LJ12], it is not the most efficient one. We will give a sketch of a better attack and a rough analysis for it. Basically, the real threat on this scheme comes from the fact that there exists a subcode $\mathcal{C}$ of $\mathcal{C}_{pub}$ of very small support (of size $2c$ here), namely the code generated by the last $b$ rows of $G_{sec}$ permuted by the secret permutation matrix $P$. For instance, there are about $2^{b-1}$ codewords of weight less than or equal to $c$ which should be found by a low weight codeword searching algorithm and which should reveal the support of $\mathcal{C}$. This is basically the idea underlying our attack. However there are other subcodes of rather small support which yield low weight codewords, namely the codes $\mathcal{C}_s$ generated by the $s \times b$ last rows of $G$ for $s$ ranging between 2 and $L$. The support of $\mathcal{C}_s$ is of size $(s+1)c$. Notice that its rate gets closer and closer to the rate $\frac{b}{c}$ (which is more or less the rate of the final code) as $s$ increases. This is a phenomenon which helps low weight codeword algorithms as will be explained later on.
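
The structural property described above (subcodes of support $(s+1)c$ whose rate approaches $b/c$) can be checked by a designer who knows the secret permutation. The Python code below is an added example, not code from this paper or from [LJ12]: it builds a constructed toy instance with the block shape of Figure 1 and compares, for each $s$, the dimension of the subcode of the public code living on the permuted last $(s+1)c$ positions with what a random code of the same length and dimension would typically keep there. Assumptions: the toy sizes, the random systematic matrix standing in for the Goppa code, the exact placement of the convolutional blocks (memory `m`) and all function names are illustrative.

```python
import random

def gf2_rank(rows):
    """Rank over GF(2); each row is an int whose bit i is column i."""
    pivots = {}                              # leading-bit index -> reduced row
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in pivots:
                pivots[h] = r
                break
            r ^= pivots[h]
    return len(pivots)

def rand_bits(rng, width):
    return rng.getrandbits(width) if width > 0 else 0

def build_secret(rng, n_B, k_B, b, c, L, m):
    """Toy G_sec with the block shape of Fig. 1; the exact layout is an assumption."""
    # Stand-in for G_B: a random systematic matrix [I | R], not a real Goppa code.
    rows = [(1 << i) | (rand_bits(rng, n_B - k_B) << k_B) for i in range(k_B)]
    # Row block j of the convolutional part covers column blocks j .. min(j+m, L);
    # column block L plays the role of the c random columns at the end.
    for j in range(L):
        for r in range(b):
            row = ((1 << r) | (rand_bits(rng, c - b) << b)) << (n_B + j * c)
            for q in range(j + 1, min(j + m, L) + 1):
                row |= rand_bits(rng, c) << (n_B + q * c)
            rows.append(row)
    return rows

def hide(rng, G_sec, n):
    """Return (G_pub, perm) with G_pub = S * G_sec * P; column i moves to perm[i]."""
    k = len(G_sec)
    perm = list(range(n))
    rng.shuffle(perm)
    permuted = [sum(1 << perm[i] for i in range(n) if (row >> i) & 1) for row in G_sec]
    while True:                              # draw S until it is invertible
        S = [rng.getrandbits(k) for _ in range(k)]
        if gf2_rank(S) == k:
            break
    G_pub = []
    for s_row in S:
        acc = 0
        for i in range(k):
            if (s_row >> i) & 1:
                acc ^= permuted[i]
        G_pub.append(acc)
    return G_pub, perm

def shortened_dim(G, n, keep):
    """Dimension of the subcode of <G> whose codewords are zero outside `keep`."""
    outside = ((1 << n) - 1) & ~sum(1 << i for i in keep)
    return gf2_rank(G) - gf2_rank([row & outside for row in G])

def typical_random_dim(size, n, k):
    """Dimension a random [n, k] code typically keeps on `size` positions."""
    return max(0, size - (n - k))

def audit(G_pub, perm, n, b, c, L):
    """Designer-side check (uses the secret perm): one tuple per s = 1..L with
    (s, support size, dimension found there, random-code baseline)."""
    k = gf2_rank(G_pub)
    report = []
    for s in range(1, L + 1):
        tail = [perm[i] for i in range(n - (s + 1) * c, n)]
        report.append((s, len(tail), shortened_dim(G_pub, n, tail),
                       typical_random_dim(len(tail), n, k)))
    return report

def demo(seed=1):
    # Constructed toy sizes with roughly the rates of Table 1 (66/102, b/c = 2/3).
    n_B, k_B, b, c, L, m = 102, 66, 4, 6, 10, 3
    rng = random.Random(seed)
    n = n_B + (L + 1) * c
    G_pub, perm = hide(rng, build_secret(rng, n_B, k_B, b, c, L, m), n)
    return audit(G_pub, perm, n, b, c, L)

if __name__ == "__main__":
    for s, size, dim, base in demo():
        print(f"s={s:2d}  support={size:3d}  dim={dim:3d}  "
              f"rate={dim / size:.3f}  random baseline={base}")
```

With the parameters of Table 1 the same baseline gives dimension 0 on 60 positions of a random code of length 1800 and dimension 1160, whereas the public code contains a subcode of dimension $b = 20$ there.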

An improvement of our attack would consist in using a low weight codeword algorithm in order to find one of the codewords of $\mathcal{C}$ and to use this codeword $c$ to bootstrap from here to find the whole support of $\mathcal{C}$. This is very much in the spirit of the attack against the KKS scheme which is explained in Algorithm 2 which can be found in Subsection 4.4 of [OT11]. With this approach, by using the codeword which has already been found, it is much easier to find new ones belonging to the same subcode with small support by imposing that the information set used for finding low weight codewords is chosen outside the positions belonging to the support of $c$. The complexity of the whole attack is dominated in this case by the complexity of finding just one codeword in $\mathcal{C}$ when there is a good way to identify the candidates in $\mathcal{C}$ (which can be done by checking the weight of $c$). Notice that it is very likely that $\mathcal{C}$ is actually the subcode of $\mathcal{C}_{pub}$ of dimension $b$ which has the smallest support. Recall here that this is precisely the notion captured by the generalized Hamming weights of a code [WY93], $w_i$ being defined as the smallest support of a subcode of dimension $i$. In other words $w_1$ is nothing but the minimum distance of the code and in our case it is likely that $w_b = 2c$ (and more generally $w_{sb} = (s+1)c$ for $s = 1..L$). In other words, the problem which should be difficult to solve is the following one.

Problem 1. Find one of the subcodes of dimension $s \times b$ whose support size is the $(s \times b)$-th generalized Hamming weight of $\mathcal{C}_{pub}$.

We will focus now on the following approach to solve this problem. Consider a low weight codeword algorithm which aims at finding low weight codewords in a code of dimension $k$ by picking up a random set of positions $\mathcal{I}$ of size slightly larger than $k$, say $k + l$, and which looks for all (or at least a non-negligible fraction) of codewords which have weight equal to some small quantity $p$ over these positions. These quantities are very good candidates for having low weight over the whole support. This is precisely the approach which is followed in the best low weight codeword search algorithms such as [Ste88, Dum91, MMT11, BJMM12]. We run such an algorithm for several different sets $\mathcal{I}$ and will be interested in the complexity of outputting at least one codeword which belongs to $\mathcal{C}$. This is basically the approach which has been very successful to break the KKS scheme [OT11] and which is the natural candidate to break the [LJ12] scheme.

To analyze such an algorithm we will make some simplifying assumptions:

— The cost of checking one of those $\mathcal{I}$ is of order $O\left(L + \frac{L^2}{2^l}\right)$ where $L \stackrel{def}{=} \sqrt{\binom{k+l}{p}}$. We neglect here the cost coming from writing the parity-check matrix in systematic form and this does not really cover the recent improvements in [MMT11, BJMM12]. We have made here such an approximation for the sake of simplicity. We refer to [FS09] for an explanation of this cost.

— We assume that the result of the puncturing of $\mathcal{C}$ by all positions which do not belong to its support behaves like a random code of dimension $k'$ and length $n'$.

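Our main result to analyze such an algorithm consists in the following proposition.

Proposition 1. Let

— $f(x)$ be the function defined by $f(x) \stackrel{def}{=} \max\left(x(1 - x/2),\ 1 - \frac{1}{x}\right)$;

— $p(s) \stackrel{def}{=} \frac{\binom{n'}{s}\binom{n-n'}{k+l-s}}{\binom{n}{k+l}}$;

— $C(k,l,p) \stackrel{def}{=} L + \frac{L^2}{2^l}$ where $L \stackrel{def}{=} \sqrt{\binom{k+l}{p}}$.

Then the complexity that the low weight codeword search algorithm outputs an element in $\mathcal{C}$ is of order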

f C{k,l,p) \ 



5.2 Proof of Proposition 1

Our first ingredient is a lower bound on the probability that a given set $X$ intersects a random linear code $\mathcal{C}_{rand}$ of dimension $k$ and length $n$ picked up uniformly at random. This lemma gives a sharp lower bound even when $X$ is very large and when there is a big gap between the quantities $\mathrm{prob}(X \cap \mathcal{C}_{rand} \neq \emptyset) = \mathrm{prob}\left(\bigcup_{x \in X} \{x \in \mathcal{C}_{rand}\}\right)$ and $\sum_{x \in X} \mathrm{prob}(x \in \mathcal{C}_{rand})$.

Lemma 1. Let $X$ be some subset of $\mathbb{F}_2^n$ of size $m$ and let $f$ be the function defined by $f(x) \stackrel{def}{=} \max\left(x(1 - x/2),\ 1 - \frac{1}{x}\right)$. We denote by $x$ the quantity $\frac{m}{2^{n-k}}$, then

$$\mathrm{prob}(X \cap \mathcal{C}_{rand} \neq \emptyset) \geq f(x).$$

This lemma can be found in [OT11] and it is proved there.

Let us finish now the proof of Proposition 1. Denote by $\mathcal{J}$ the support of $\mathcal{C}$:

$$\mathcal{J} \stackrel{def}{=} \mathrm{supp}(\mathcal{C}).$$

Let us first calculate the expected number of sets $\mathcal{I}$ we have to consider before considering an element of $\mathcal{C}$. Such an event happens precisely when there is a nonzero word in $\mathcal{C}$ whose restriction to $\mathcal{I} \cap \mathcal{J}$ is of weight equal to $p$. Let $\mathcal{C}_{\mathcal{I} \cap \mathcal{J}}$ be the restriction of the codewords of $\mathcal{C}$ to the positions which belong to $\mathcal{I} \cap \mathcal{J}$, that is

$$\mathcal{C}_{\mathcal{I} \cap \mathcal{J}} \stackrel{def}{=} \{(c_i)_{i \in \mathcal{I} \cap \mathcal{J}} : (c_i)_{1 \leq i \leq n} \in \mathcal{C}\}.$$

Let $X$ be the set of non-zero binary words of support $\mathcal{I} \cap \mathcal{J}$ which have weight equal to $p$. Denote by $W$ the size of $\mathcal{I} \cap \mathcal{J}$. The probability that $W$ is equal to $s$ is precisely

$$\mathrm{prob}(W = s) = \frac{\binom{n'}{s}\binom{n-n'}{k+l-s}}{\binom{n}{k+l}} = p(s).$$

Then the probability $P$ that a certain choice of $\mathcal{I}$ gives among the codewords considered by the algorithm a codeword of $\mathcal{C}$ can be expressed as

n 

P = Y^ P roh (W = s)prob(X n %f" ^ 0) 

s=l 
n 

>X>(*)/(A) 

s=l 

by using Lemma 1 with If' and the aforementioned $X$. Therefore the average number of iterations which have to be performed before finding an element in $\mathcal{C}$ is equal to $\frac{1}{P}$ and this yields immediately Proposition 1.



(1) 
(2) 



5.3 Repairing the parameters and a pitfall 



A possible way to repair the scheme consists in increasing the size of the random part (which corresponds to the last $c$ columns in $G_{sec}$ here). Instead of choosing this part to be of size $c$ as suggested in [LJ12], its size can be increased in order to thwart the algorithm of Subsection 5.1. Let $r$ be the number of random columns we add at the end of the convolutional part, so that the final length of the code is now $n_B + Lc + r$ instead of $n_B + (L+1)c$ as before. If we choose $r$ to be equal to 140, then the aforementioned attack needs about $2^{80}$ operations before outputting an element of $\mathcal{C}$, which is the (permuted) subcode corresponding to the last $b$ rows of $G_{sec}$. As before, let us denote by $\mathcal{C}_s$ the permuted (by $P$) subcode of $\mathcal{C}_{pub}$ generated by the last $s \times b$ rows of $G_{sec}$ permuted by $P$. We can use the previous analysis to estimate the complexity of obtaining an element of $\mathcal{C}_s$ by the previous algorithm. We have gathered the results in Table 2.



Table 2. Complexity of obtaining at least one element of $\mathcal{C}_s$ by the algorithm of Subsection 5.1.

$s$                 1      5      10     15     20     21     22     25
complexity (bits)   80.4   72.1   65.1   61.0   59.4   59.3   59.4   59.8



We see from this table that in this case the most important threat does not come from finding low weight codewords arising from codewords in $\mathcal{C}_1$, but codewords of moderate weight arising from codewords in $\mathcal{C}_{20}$ for instance. Codewords in this code have average weight $\frac{r + 20c}{2} = 370$. This implies that a simple policy for detecting such candidates, which consists in keeping all the candidates in the algorithm of Subsection 5.1 which have weight less than this quantity, is very likely to filter out the vast majority of bad candidates and keep with a good chance the elements of $\mathcal{C}_{20}$. Such candidates can then be used as explained in Subsection 5.1 to check whether or not they belong to a subcode of large dimension and small support.

There is a simple way for explaining what is going on here. Notice that the rate of $\mathcal{C}$ is equal to $\frac{b}{c+r}$, which is much smaller than the rate of the overall scheme, which is close to $\frac{b}{c}$ in this case by the choice of the parameters of the Goppa code. However as $s$ increases, the rate of $\mathcal{C}_s$ gets closer and closer to $\frac{b}{c}$, since its rate is given by $\frac{sb}{sc+r} = \frac{b}{c+r/s}$. Assume for one moment that the rate of $\mathcal{C}_s$ is equal to $\frac{b}{c}$. Then putting $G_{pub}$ in systematic form (which basically means that we run the aforementioned algorithm with $p = 1$ and $l = 0$) is already likely to reveal most of the support of $\mathcal{C}_s$ by looking at the support of the rows which have weight around (notice that this phenomenon was already observed in [Ove07]). This can be explained like this. We choose $\mathcal{I}$ to be of size $k$, the dimension of $\mathcal{C}_{pub}$, and to be an information set for $\mathcal{C}_{pub}$. Then, because the rate of $\mathcal{C}_s$ is equal to the rate of $\mathcal{C}_{pub}$, we expect that the size of $\mathcal{I} \cap \mathcal{J}$ (where $\mathcal{J}$ is the support of $\mathcal{C}_s$) has a rather good chance to be smaller than or equal to the dimension of $\mathcal{C}_s$. This in turn implies that it is possible to get codewords from $\mathcal{C}_s$ by any choice over the information set $\mathcal{I}$ of weight 1 which is non zero over $\mathcal{I} \cap \mathcal{J}$ (and therefore of weight 1 there). More generally, even if $\mathcal{I} \cap \mathcal{J}$ is slightly bigger than the dimension of $\mathcal{C}_s$, we expect to be able to get codewords in $\mathcal{C}_s$ as soon as $p$ is greater than the Gilbert-Varshamov distance of the restriction of $\mathcal{C}_s$ to $\mathcal{I} \cap \mathcal{J}$, because there is in this case a good chance that this punctured code has codewords of weight $p$. This Gilbert-Varshamov distance will be very small in this case, because the rate of this restriction is very close to 1 (it is expected to be equal to d p^j|^ ).

Nevertheless, it is clear that it should be possible to set up the parameters (in particular increasing $r$ should do the job) so that existing low weight codeword algorithms should be unable to find these subcodes $\mathcal{C}_s$ with complexity less than some fixed threshold. However, all these codes have to be taken into account and the attacks on the dual have also to be reconsidered carefully ([LJ12] considered only attacks on the dual aiming at finding the codewords of lowest weight, but obviously the same technique used for finding some of the $\mathcal{C}_s$ will also work for the dual). Moreover, even if by construction the restriction of $\mathcal{C} = \mathcal{C}_1$ to its support should behave as a random code, this is not true anymore for $\mathcal{C}_s$ with $s$ greater than one, due to the convolutional structure. The analysis sketched in Subsection 5.1 should be adapted a little bit for this case and should take into account the improvements over low weight searching algorithms [MMT11, BJMM12]. Finally, setting up the parameters also requires a careful study of the probability that sequential decoding fails. This whole thread of work is beyond the scope of the present paper.